In response to some major disasters in the 1970s and ‘80s, in which control system failures were contributing factors, a new culture of industrial process automation safety was born. As part of this movement, end-users, industry associations, and equipment suppliers alike moved to more closely consider control and safety applications with the aim of minimizing common modes of failure. For decades, it was common to build certain protections into the Basic Process Control System (BPCS) to prevent failures. However, the new approach focused on separation between control and safety applications to reduce failures. In the ‘90s, the ISA-SP84 Committee settled on the term Safety Instrumented System (SIS) to describe an independent automated safety system.
Today, if the layers of safety measures built into a modern process control system were peeled back, one would likely find the SIS at the outermost level, providing the last preventive layer of protection against undetected and detected equipment failures that lead to unsafe process conditions.
Inherently safer process design is most effective in preventing hazardous conditions that could result in a loss of containment. BPCS (Basic Process Control System), operator response, and SIS layers may be able to prevent a release, while relief systems, containment barriers, and emergency response may only lessen the impacts of a release.
Image courtesy of Primatech, Inc.
Key Principles of SIS
“The key change in approach in the late 1980s and early ‘90s was the recognition that risk-based criteria needed to be used to determine when additional protection layers were required, and that the reliability of all the various means of risk reduction needed to be examined more quantitatively,” says Geoff Barnard, P.E., Functional Safety & SIS group leader at Primatech, Inc.
The SIS is generally employed in addition to the BPCS. The primary function of the SIS is simple: to ensure safety. But the systems can be quite complex. SISs are usually designed with a high degree of redundancy and diagnostics to detect and minimize dangerous failures that could prevent the process from reaching a safe state.
“A properly designed, installed and maintained SIS protects the assets, people and the environment,” says Mandar Phadke, CEO of Abhisam Software. “The SIS is just one of the layers of protection that a modern process plant has, but it is a very important layer.”
Other layers of protection can include the operators, the BPCS, BPCS-based alarms and interlocks, safety relief valves, dikes, scrubbers, flares, and so on. Protection layers can be preventive or mitigative. “The SIS is the last preventive layer of protection, hence it is important,” says Phadke. And according to Barnard, even with improvements in BPCS reliability, in many cases the SIS may be the only protection layer that can respond quickly enough to prevent a loss of containment.
The SIS lifecycle is a continuous process based on a central management plan with documentation, verification and validation required throughout.
Image courtesy of Primatech, Inc.
SIS & Standards
Experts agree standards play a very important role in the world of Safety Instrumented Systems. Because SISs provide a high degree of risk reduction, they are covered by fairly rigorous Functional Safety standards. Functional Safety requirements apply to systems that take specific actions in response to specific inputs in order to provide risk reduction. For process industries, the International Electrotechnical Commission (IEC) has IEC 61511; for devices, such as transmitters and controllers, the standard is IEC 61508. And the current ANSI/ISA84.00.01-2004 standard is now fully harmonized with IEC 61511. ISA and its Automation Standards Compliance Institute (ASCI) currently have three certificate programs that are designed to increase knowledge and awareness of the ISA84 standard.
“It is important to know that these Functional Safety standards cover more than just the engineering and design process,” Barnard says. “They present a ‘lifecycle’ management process, which begins with a hazard and risk assessment and carries through the design, installation, operation, maintenance, and modification of the system over the life of the process. There are many requirements, not only for the system hardware and application software, but also for planning, documentation, and competency of personnel involved throughout the lifecycle.” Phadke says that adherence to these standards is considered “Good Engineering Practice” by government and regulatory authorities, such as OSHA.
SIS Design & Implementation
When devising SIS design and implementation strategies, end-users should be knowledgeable about the basic concepts related to SIS and the standards and regulations that apply to their region, country and industry.
Phadke says end-users should be aware of risk-assessment techniques, as well as the acceptable level of risk for their business or industry. “They also need to consider the effect of possible spurious trips, which not only cause loss of production, but can themselves be dangerous events in the complex plants of today,” he says. End-users should take into consideration the Safety Lifecycle and should be able to formulate effective Safety Requirement Specifications (SRS). “The SRS is very important because all subsequent development of the SIS, including validation activities, will be with reference to the SRS,” Phadke says.
Another thing to consider is that some SIS functions may need to be tested and maintained while on process in order to maintain their safety integrity level. Careful planning during the design phase will minimize disruptions and prevent unnecessary shutdowns.
In addition, Barnard says communication cannot be overemphasized throughout the lifecycle. Everyone who contributes needs to understand their roles and responsibilities and what key information they provide to the process.
“Complete specification of Safety Instrumented Systems requires input from many sources, and successful implementation depends on clearly documenting the requirements for those who will implement the system,” Barnard says, pointing out this often requires a strong leader to maintain technical ownership and approval authority over the entire process. Ideally, this leader would have a strong background in both process safety management and process control systems, he says.
When employing SIS for success, some key steps end-users should keep in mind include:
- Get engaged early in the design process.
- Don’t assume engineering contractors and equipment vendors understand their role in managing process safety at your plant.
- Appoint a senior experienced person to develop a Functional Safety Management Plan and provide technical oversight of the entire process.
- Conduct regular reviews to ensure the plan is being followed, and keep management, operations and maintenance stakeholders informed and involved as well.
“A safety system that is not trusted is more likely to be bypassed or defeated, and simple logic or instrument changes may be all that is required to prevent unnecessary shutdowns and keep the unit running smoothly,” Barnard says.
There is no official third-party certification of SIS field devices, meaning there are no requirements in any of the standards for a formal certification, and there are no agencies that have specific authority to grant certifications. However, there are certificates that come with devices to show the device has undergone an evaluation against the requirements of IEC 61508. “Frequently this involves a Failure Modes, Effects, and Diagnostics Analysis (FMEDA) to show the design is likely to ‘fail safe’ or detect its own failures a certain percentage of the time,” Barnard says.
He says that before selecting a device, end-users should understand what any applicable certificates imply, read the safety manual provided by the manufacturer for specific requirements for installation, operation and maintenance of the device for safety applications, and, most importantly, select technologies and materials that are appropriate for the application.
Certificates and manuals aside, the best source of information to consult, if available, is the plant’s own maintenance history. “Records of prior use in a similar service will not only provide the relevant failure characteristics of a device, but they will also factor in your plant’s specific environmental conditions, installation practices, and maintenance capability,” Barnard says. And if records aren’t being kept, he recommends adding an instrument failure data collection plan as part of a Mechanical Integrity program.
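The points above on FMEDA results ("fail safe or detect its own failures a certain percentage of the time") and on testing functions on process to maintain their safety integrity level can be illustrated with the figures an FMEDA actually produces. The following is an added example, not code from the article or from Primatech or Abhisam; the failure rates are constructed sample values in FIT (failures per 10^9 hours), not data for any real device, and the PFDavg formula is the simplified single-device approximation from IEC 61508, ignoring repair time.

```python
# Added illustration: derive safe failure fraction (SFF), diagnostic coverage
# (DC) and an approximate average probability of failure on demand (PFDavg)
# from the four failure-rate categories an FMEDA reports for a device.
# Sample rates are constructed, not measured for any real instrument.
from dataclasses import dataclass

FIT_TO_PER_HOUR = 1e-9  # 1 FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class FmedaRates:
    lambda_sd: float  # safe, detected by diagnostics (FIT)
    lambda_su: float  # safe, undetected (FIT)
    lambda_dd: float  # dangerous, detected by diagnostics (FIT)
    lambda_du: float  # dangerous, undetected (FIT)


def safe_failure_fraction(r: FmedaRates) -> float:
    """Share of all failures that are either safe or detected (IEC 61508 SFF)."""
    total = r.lambda_sd + r.lambda_su + r.lambda_dd + r.lambda_du
    if total <= 0:
        raise ValueError("no failure rates given")
    return (r.lambda_sd + r.lambda_su + r.lambda_dd) / total


def diagnostic_coverage(r: FmedaRates) -> float:
    """Fraction of dangerous failures the device's own diagnostics reveal."""
    dangerous = r.lambda_dd + r.lambda_du
    if dangerous <= 0:
        return 1.0  # no dangerous failure modes at all
    return r.lambda_dd / dangerous


def pfd_avg_single_device(r: FmedaRates, proof_test_interval_h: float) -> float:
    """Simplified 1oo1 PFDavg ~ lambda_DU * TI / 2 (repair time ignored).

    Only undetected dangerous failures accumulate between proof tests, which
    is why the proof-test interval set at design time drives the result.
    """
    if proof_test_interval_h <= 0:
        raise ValueError("proof-test interval must be positive")
    lambda_du_per_hour = r.lambda_du * FIT_TO_PER_HOUR
    return lambda_du_per_hour * proof_test_interval_h / 2.0


# Constructed sample device: 500 FIT total, 300 FIT dangerous, 50 FIT undetected.
SAMPLE = FmedaRates(lambda_sd=120.0, lambda_su=80.0, lambda_dd=250.0, lambda_du=50.0)
ONE_YEAR_H = 8760.0
```

Running the same sample with a longer proof-test interval raises PFDavg in proportion, which is the design-phase trade-off behind testing functions while on process.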
SIS: The Next Generation
In a nutshell, SIS ensures that people, assets and the environment are protected against catastrophe in industry. So what path will SIS take toward the future? “As people in general, including governments, ordinary citizens, and communities become more and more demanding that industries undertake robust safety management practices, SIS will only increase in importance,” says Phadke.
With such importance, advances in technology are sure to include more reliable systems with lower lifecycle cost and less intensive maintenance requirements, Barnard says. “Hopefully,” he says, “the SIS of the future will become even more transparent to unit operations, while providing greater insight into the health of the equipment and the state of the process.”
Integrated SIS/BPCS systems are gaining wider acceptance, Phadke says. Fieldbus systems are also being implemented in many process plants, and he says there are moves to implement safety functions in Fieldbus networks too. This is to take advantage of the distributed nature of Fieldbus, as well as the diagnostics available in many Fieldbus devices today. “We are, therefore, moving back to the era where we used to have a lot of control in the field, rather than in the control room,” says Phadke.
Amy W. Richardson is the managing editor of Flow Control magazine. Contact her at [email protected].